The Cymulate Purple Team module is an open framework that scales red team and pen-testing skills. It operationalizes the MITRE ATT&CK® framework to create, launch and automate custom attack scenarios. In addition to the extensive library of executions and scenarios provided out-of-the-box, red teams can craft or modify executions to create both simple and complex scenarios of atomic, combined, and chained executions. The module enables APT simulation, purple team exercises, incident response playbook exercises and pro-active threat hunting, and automates daily security assurance procedures and health checks.
Many companies have begun to engage in Purple Team exercises that test their incident response capabilities and their resilience to the Full Kill-Chain of an Advanced Persistent Threat (APT) or a subset of such tactics. The Cymulate Purple Team module takes BAS customization and automation to the next level to address and support these requirements.
The module enables SOC/Blue Teams with minimal adversarial skills, along with professional Red Teams, and pen-testers to create, store, modify, and execute both simple and sophisticated assessments using custom built or out-of-the-box templates – with the ability to leverage custom payloads and executions where desired – and is fully managed via API and/or a web-based GUI.
In advanced mode the module provides logic to chain executions for both input variables and dependencies using a visual layout editor. As an example, a chain could be comprised of the following:
- Dump LSASS using ProcDump to prepare it for Mimikatz.
- Use Mimikatz to get credentials (username, password, domain).
- Download PSexec using the PS zip collection downloader.
- Run a port scan to get the target host and ports.
- Use PSexec with all the inputs and dependencies from the previous steps.
Launch an Assessment
An assessment is a single “run” of the process created from a template. The assessment can be modified using the same GUI or API used to create templates, to add executions or change parameters for this specific run. For example, alerts can be set, and environment-specific variables can be modified or set if they

Templates can be a single chain of executions (such as the example above), but can also link together multiple chained executions to create more sophisticated attacks. The template is then mapped to show its coverage across the MITRE ATT&CK framework and saved for use in assessments.